Massive Cyberattack Hits 10 Million Excellus Healthcare Customers
Rochester, New York-based Excellus BlueCross BlueShield has revealed to the world that cyberattackers have breached its IT systems. All told, the firm estimates 10 million members and individuals who do business with the company have been affected. Those affected include 7 million Excellus members and an additional 3.5 million members under the affiliate Lifetime Healthcare Companies.
Excellus called in FireEye’s Mandiant incident response division to investigate the breach. After Mandiant conducted a forensic assessment of its IT systems and confirmed the attack, Excellus notified the FBI and is now cooperating with the bureau’s investigation into the hack.
"Protecting personal information is one of our top priorities and we take this issue very seriously," said Christopher Booth, CEO of Excellus, in a statement. "We're making a broad range of services available today for our members, our employees and other impacted individuals to help protect their information."
How bad is it? The short answer is nobody knows yet. Mandiant has yet to determine that personal information on the company's IT systems was removed or used inappropriately.
However, the company has confirmed that attackers may have gained unauthorized access to such information as individuals' names, dates of birth, Social Security numbers, mailing addresses, telephone numbers, member identification numbers, financial account information and claims information.
"We have already taken aggressive steps to remediate our IT system of issues raised by this cyberattack," Booth said. "We sincerely regret any concern this may cause. We are providing free credit monitoring and identity theft protection to you for peace of mind. We also pledge to take additional steps to strengthen and enhance security to help avoid having something like this happen again.”
Excellus will mail letters to individuals who were affected and offer two years of free identity theft protection services through Kroll and credit monitoring powered by TransUnion. A dedicated call center has also been set up for members and other affected individuals. In addition, the company has set up a Web site -- excellusfacts.com -- that offers information on the breach and how to get protection services.
We turned to Tim Liu, CTO of next-gen firewall firm Hillstone Networks, to get his reaction to the security event. He told us the Excellus breach has the potential to be far more damaging depending on how the hackers use the data they have compromised.
“It’s proof positive how a single security penetration can disrupt the lives of millions of people,” Liu said. “As the victims will now have to be diligent in monitoring for signs of identity theft, organizations need to go beyond traditional security measures and adopt a more aggressive, proactive approach to cybersecurity with continuous monitoring, increased visibility and other safeguards in place to help discover these breaches before major damage can occur."
We also asked Idan Tendler, CEO of user-based analytics firm Fortscale, to get his insights into the hack. Tendler is a former commander of the 8200, the cyberwarfare division of the Israeli Defense Forces.
Tendler told us the latest breach involving Excellus is a textbook case study in how hackers are able to stay under the radar and go undetected for long periods of time.
“The hackers' ability to go unnoticed and gain unauthorized access to the company’s IT systems and the personal information of potentially thousands of people does not come as a surprise,” Tendler said. "We’ve seen this scenario play out in breach after breach, underscoring the need for organizations to constantly monitor their networks and be proactive in detecting and responding to suspicious user activity to prevent these types of breaches from occurring.”
Posted: 2015-09-15 @ 5:21am PT
Hopefully, the victims of the Excellus data breach WON'T accept the identity protection services that they're being offered by the company. The most effective safeguard against identity fraud can only be put in place by individual consumers.
Posted: 2015-09-14 @ 8:31am PT
Wow, just wow!
John Rosati, Los Angeles:
Posted: 2015-09-13 @ 11:34pm PT
Once again the Corporation issues a statement that regrets the hacking and will do their best to minimize the occurrence.
What does mean in plain elementary English?
Absolutely NOTHING. Another hypocritical and blatant useless statement. If they were concerned, the way they say, they should have provided and protected the files prior to the cyber attack. They FAILED their responsibility to protect the people that entrusted their personal data with them.
Posted: 2015-09-13 @ 9:05pm PT
Companies need to start separating fields for users .. and encrypting data so that a single individual (or their impersonator) cannot easily see everything for everyone!
Posted: 2015-09-13 @ 9:36am PT
Identity theft is a frightening and confusing prospect for most people. But never, never, NEVER pay for identity theft protection! There’s a proactive, do-it-yourself identity protection solution, and it's available to anybody for free. And you can do it in less than 10 minutes. Our inexpensive guide shows you how: IdentityProtectionForFree.com